Can you use Access-Control-Allow-Origin: * with credentials?
No. When using credentials: true (cookies, Authorization), you must specify the exact origin: Access-Control-Allow-Origin: https://myapp.com. The wildcard * does not work with credentials.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in How to Fix CORS Errors in JavaScript
Configure the server to include CORS headers: Access-Control-Allow-Origin (your origin), Access-Control-Allow-Methods, Access-Control-Allow-Headers. Handle OPTIONS preflight with 204. Use the cors middleware in Express. Use a proxy in development.
No. CORS is enforced by the browser based on server headers. You cannot fix it from the client. The server must include the correct CORS headers. In development, use a proxy to avoid CORS entirely.
app.use((req, res, next) => { res.header('Access-Control-Allow-Origin', '*'); res.header('Access-Control-Allow-Methods', 'GET,POST,PUT,DELETE'); res.header('Access-Control-Allow-Headers', 'Content-Type,Authorization'); if (req.method === 'OPTIONS') return res.sendStatus(204); next(); });
Still have questions?
Browse all our FAQs or reach out to our support team
